Cisco Bug: CSCvv35565 - L3 ECMP load balancing not working as expected for fragmented packets.

Last Modified

Oct 08, 2020

Products (1)

  • Cisco Catalyst 3850 Series Switches

Known Affected Releases

16.9.3

Description (partial)

Symptom:
Fragments of the same packet might be hashed differently depending on the tuple.

By default we use the following parameters for load-balancing: src ip, dest ip, source port, dest port and L4 protocol.

When a packet is fragmented, the full 5-tuple is used to hash the first fragment only. The remaining fragments do not have all five fields (only src ip, dest ip, and L4 protocol), which causes the hash calculation to give them a different path.

This can happen with packets generated by the switch or with routed packets passing through the switch.

Conditions:
This was observed in an L3 ECMP dual-ISP scenario.
Specifically, for fragmented EAP-TLS RADIUS packets, ECMP hashes the fragments differently, causing the fragments to reach the remote ISE server out of order and the authentication to time out.
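
A small model of the behaviour described above, added here as an example and not taken from Cisco: it hashes the first fragment on the 5-tuple and later fragments on the 3-tuple, then lists the datagrams whose fragments land on different paths. SHA-256 stands in for the switch's hash (which is not given on this page), the addresses and ports are constructed, and `fragment_aware` is a hypothetical policy shown for comparison, not the fix for this bug.

```python
import hashlib
from collections import defaultdict

N_PATHS = 2  # dual-ISP ECMP, as in the Conditions above

def ecmp_path(frag, fragment_aware=False):
    """Return the egress path index chosen for one IPv4 packet or fragment."""
    is_fragment = frag["mf"] or frag["offset"] > 0
    key = [frag["src"], frag["dst"], frag["proto"]]
    # Only offset 0 carries the L4 header, so only there can ports be hashed.
    # fragment_aware (hypothetical policy) skips ports for every fragment.
    if frag["offset"] == 0 and not (fragment_aware and is_fragment):
        key += [frag["sport"], frag["dport"]]
    digest = hashlib.sha256("|".join(map(str, key)).encode()).digest()
    return digest[0] % N_PATHS  # SHA-256 is a stand-in for the switch hash

def split_datagrams(frags, fragment_aware=False):
    """Map (src, dst, proto, ip_id) -> paths, for datagrams using >1 path."""
    seen = defaultdict(set)
    for f in frags:
        key = (f["src"], f["dst"], f["proto"], f["ip_id"])
        seen[key].add(ecmp_path(f, fragment_aware))
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

def make_fragments(n_flows=200):
    """Constructed sample: n_flows RADIUS/UDP datagrams, 3 fragments each."""
    frags = []
    for i in range(n_flows):
        base = {"src": "192.0.2.10", "dst": "198.51.100.20", "proto": 17,
                "ip_id": i}
        frags.append({**base, "offset": 0, "mf": True,
                      "sport": 20000 + i, "dport": 1812})
        frags.append({**base, "offset": 185, "mf": True})
        frags.append({**base, "offset": 370, "mf": False})
    return frags

if __name__ == "__main__":
    sample = make_fragments()
    print("split, 5-tuple on first fragment:", len(split_datagrams(sample)))
    print("split, 3-tuple on all fragments: ",
          len(split_datagrams(sample, fragment_aware=True)))
```

In this model every non-first fragment shares one path because the 3-tuple is identical, so a datagram is split whenever its first fragment's 5-tuple hash picks the other path.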